Security
This page is a plain-language summary of Commentary’s current security posture. It is not a promise of formal certification, audit status, or a guarantee that incidents will never occur.
Access and authentication
Commentary uses GitHub App user authorization as the default sign-in path and supports personal access tokens where workflow requirements make that necessary.
Authenticated actions, such as commenting, replying, and accessing private repositories, depend on the GitHub identity and repository access available to the connected user. Interactive review actions continue to run as that connected GitHub user.
Data protection and operational controls
Commentary uses Azure-backed infrastructure to host and operate the service. Tokens are intended to remain encrypted at rest, and app-native review state is separated from raw provider content where practical.
Commentary also maintains rate-limit handling, request telemetry, and operational monitoring intended to detect service failures and abnormal behavior quickly.
Current limitations
Commentary is an early-stage developer tool. Some controls are still evolving, and certain legal, billing, and operational processes remain founder-reviewable placeholders rather than final enterprise commitments.
Users should avoid storing secrets or unrelated regulated data in review comments unless the repository workflow itself is already approved for that content.
Reporting security concerns
To report a security concern, contact support@commentary.dev and include enough detail for reproduction, impact assessment, and a secure response process.